Security management

Secure development lifecycle

To ensure the security, integrity, auditability, and reliability of the software development process and the final product, we introduce a set of practices throughout the entire development lifecycle. The scope and the character of these security practices are traditionally dictated by data privacy and security standards and requirements relevant to each client engagement.

  • 0 Training: Signing an NDA and training employees
  • 1 Initiation: Managing the customer’s security concerns and deciding on the development environment
  • 2 Requirements analysis & design: Identifying security requirements for the project and establishing sensitive data management practices
  • 3 Planning: Planning the project with secure development practices in mind
  • 4 Implementation: Conducting a security briefing for the development team and following established development practices, guided by tech supervision
  • 5 Delivery: Conducting a pre-delivery code review

0 Training

Signing the corporate NDA & network usage policy

All of Itransition’s employees and contractors sign an NDA and a network usage policy when onboarding and when re-signing a contract of employment. This practice helps maintain client confidentiality, protect the intellectual property of the company and our clients, and strictly control access to sensitive information.

Educating on secure development principles

Aside from the scope of a specific project, each specialist holding a tech position continuously participates in internal security readings, training sessions, and developers’ meetings to stay familiar with the general principles of secure development and specific security standards. As part of the corporate developer qualification system, developers are evaluated against a set of metrics, including adherence to security requirements. Such an approach helps us strengthen the security mindset and minimize the risk of security incidents.

1 Initiation

Handling extra security concerns

If our clients have additional concerns about the security and privacy of the data they transfer to us, we propose a set of measures to address them. Such activities can include signing a special NDA, establishing a custom project environment, and signing additional terms of data transfer and handling between the client and the company.

Deciding on the development environment

We decide on the basic aspects of the development environment to ensure the project's security and proactively address security considerations:
  • Environment ownership, i.e. whether the development environment will be provided and managed by the client, Itransition, or a third-party vendor
  • Components, technologies, and frameworks that will be used during the project, factoring in their compatibility, functionality, maturity, and security capabilities
  • Security controls and access management to establish user accounts for all parties involved in the project and protect the development environment from unauthorized access
  • Security and compliance requirements that define the configuration of the development environment

2 Requirements analysis & design

To reduce the risks of design and implementation errors, we identify security requirements and establish the general security management approach at the project’s early stages.

Identifying security & privacy requirements

We identify, clarify, and document requirements and potential risks related to security through discussions with project stakeholders and a careful analysis of the client’s IT environment and business workflows, including:
  • Client industry and solution type to outline its purpose, functionality, and threat landscape
  • Data sensitivity and privacy, i.e. whether the data includes personally identifiable information, confidential or private information, or financial records
  • Applicable territory/industry standards, such as HIPAA, GDPR, and PCI DSS

Identifying & documenting sensitive information assets

We prepare a registry with all the sensitive information assets that our clients hand over to us during the project to guarantee that all sensitive data will be properly returned, erased, or disposed of at the end of the project.

Furthermore, we provide all parties involved in the project with the general guidelines for managing such data during the development lifecycle.

3 Planning

Planning secure development practices

We identify and plan the particular practices and activities to run at each development stage, making sure we dedicate enough time and effort to this process.

4 Implementation

Security briefing for the team

Once the development team is assembled, we share the following information with all team members:
  • The development approach and practices, as well as tools selected for the project
  • Specific security standards applicable to the project
  • Extra security requirements, rules, and restrictions that must be understood and followed

Using approved development tools

We use an approved list of development tools and maintain unified configuration templates to enforce security practices and automate the creation and maintenance of the deployment and development environment. Our tech experts also regularly review and update the list of tools to assess their compatibility with the project’s requirements and make sure the latest and most stable tool versions available are used.

Following established development practices

We rely on Itransition’s proprietary development practices and coding standards alongside specific country/industry/customer requirements. Some of the most common practices we execute throughout the implementation phase are:
  • Using a version control system for code management
  • Setting up a code verification process with unit testing, code reviews, continuous integration, and static analysis
  • Tracking, estimating, and managing accumulated technical debt

Leveraging internal technical supervision

As a standard technical coordination practice, we appoint internal auditors to all company projects by default. They supervise the development process end-to-end to ensure that project activities are aligned with the set requirements and applicable standards, identify issues overlooked due to author’s bias, and gain insights into the project.

5 Delivery

Conducting pre-delivery code review

Even though we regularly perform code reviews during the implementation phase, we conduct a final review to make sure that:
  • There is no unused code stored in the repository that can expose software to security risks
  • Security credentials, access keys, license keys, and other sensitive project values are not hardcoded or stored in plain form
  • Configuration values from development, staging, and production environments are stored separately with strict access control

Key security metrics

To identify security weaknesses and vulnerabilities within the SDLC and assess the effectiveness of the implemented practices, we set up security checkpoints based on the following set of metrics:

Threat modeling

  • Number of threat modeling activities conducted
  • Number of identified threats per model
  • Severity of identified threats
  • Time to mitigate identified threats
  • Threat model review cycle time

Code reviews

  • Number of code reviews conducted
  • Number of findings from code reviews
  • Code review coverage
  • Code review efficiency
  • Code quality improvement

Security testing

  • Number of findings from penetration testing and vulnerability scanning
  • Number of findings remediated
  • Number of recurring findings
  • Time to remediate a vulnerability
  • Security testing coverage

Training activities

  • Number of training activities conducted
  • Training participation rate
  • Training effectiveness score
  • Incident reporting rate

Industry controls & frameworks we adhere to

  • ISO
  • CIS Controls
  • NIST
  • OWASP
  • CIS Benchmarks

About Itransition

IT consulting and software development services since 1998

ISO 27001-certified security management system

Quality-first approach based on a robust ISO 9001-compliant quality management system

Certified security engineers, consultants, administrators, testers, and auditors